Almost immediate disconnects caused by port scanning

Report bugs or issues with Core FTP Server here
thealien
Posts: 3
Joined: Thu Aug 04, 2011 10:06 pm

Almost immediate disconnects caused by port scanning

Post by thealien »

I am running build 384 on four different servers (two Win2003, two Win2008) in sftp mode, in different environments. Both started dropping incoming connections almost immediately after I tried to put them into a load balanced pool, but the load balancer itself isn't the issue. Either the connection doesn't quite complete, or it does and almost immediately disconnects. The client gets a generic "The server unexpectedly closed the connection." type of error in that case.

I have been able to replicate the problem by setting up a test server and having a port scanner do a tcp connect to port 22 every 2 seconds. It just connects and immediately disconnects, the same way the load balancer probes do. (I'm doing "nmap -sT -p 22 X.X.X.X" every two seconds.) If the every-two-seconds port scan is on, I have the problem. If I turn it off, I don't have the problem.

Here's an example from the logs:

[20110804 15:34:41] [(load balancer)] connecting
[20110804 15:34:41] [(sftp client)] connected
[20110804 15:34:41] [(load balancer)] disconnected ((null))
[20110804 15:34:43] [(load balancer)] connecting
[20110804 15:34:43] [(load balancer)] connected
[20110804 15:34:43] [(load balancer)] disconnected ((null))
[20110804 15:34:43] [(sftp client)] connecting
[20110804 15:34:43] [(sftp client)] connected
[20110804 15:34:44] [(sftp client)] user 'username' sent
[20110804 15:34:44] [(sftp client)] USER-PASS (username) success
[20110804 15:34:44] [(sftp client)] LIST success - /
[20110804 15:34:44] [(sftp client)] disconnected (username)
[20110804 15:34:45] [(load balancer)] connecting
[20110804 15:34:45] [(load balancer)] connected
[20110804 15:34:45] [(load balancer)] disconnected ((null))

Is there some setting I'm missing that would cause this?

Thank you.
ForumAdmin
Site Admin
Posts: 987
Joined: Mon Mar 24, 2003 4:37 am

Post by ForumAdmin »

For your test, you'll need to increase the "max conns per IP" setting in your domain setup. It will auto-ban connections from an IP if it exceeds the default number (3).

It's not recommended you go above this for a production server.
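To tell health-probe sessions apart from real client sessions in a log like the one in the first post, and to see how close each source gets to the per-IP limit the admin mentions, here is an added parsing example. It is not Core FTP Server code and not from either poster. It assumes the line shape `[YYYYMMDD HH:MM:SS] [(peer label)] message` seen in the excerpt, uses 3 as the default limit only because the reply above names it, and the `USER-PASS (...) failed` wording for a rejected logon is an assumption, since the thread shows no failed-logon line. The sample log is the excerpt from the first post.

```python
import re
from collections import defaultdict

# Line shape inferred from the excerpt in the thread (assumption):
# [YYYYMMDD HH:MM:SS] [(peer label)] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8} \d{2}:\d{2}:\d{2})\] \[\((?P<peer>[^)]*)\)\] (?P<msg>.*)$"
)

# Sample input: the log excerpt posted in the thread, embedded here so the
# example runs offline.
SAMPLE_LOG = """\
[20110804 15:34:41] [(load balancer)] connecting
[20110804 15:34:41] [(sftp client)] connected
[20110804 15:34:41] [(load balancer)] disconnected ((null))
[20110804 15:34:43] [(load balancer)] connecting
[20110804 15:34:43] [(load balancer)] connected
[20110804 15:34:43] [(load balancer)] disconnected ((null))
[20110804 15:34:43] [(sftp client)] connecting
[20110804 15:34:43] [(sftp client)] connected
[20110804 15:34:44] [(sftp client)] user 'username' sent
[20110804 15:34:44] [(sftp client)] USER-PASS (username) success
[20110804 15:34:44] [(sftp client)] LIST success - /
[20110804 15:34:44] [(sftp client)] disconnected (username)
[20110804 15:34:45] [(load balancer)] connecting
[20110804 15:34:45] [(load balancer)] connected
[20110804 15:34:45] [(load balancer)] disconnected ((null))
"""


def parse_events(text):
    """Return (timestamp, peer, message) tuples; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("ts"), m.group("peer"), m.group("msg")))
    return events


def summarize(text, max_conns_per_ip=3):
    """Per-peer tallies.

    probe_like  : sessions that disconnected without ever sending a user name,
                  i.e. a bare TCP connect/close such as a load-balancer probe.
    peak_open   : most connections from that peer open at the same time.
    at_limit    : peak_open exceeded the limit, or failed logons reached it
                  (the 3-per-IP default quoted in the reply above is the
                  assumed default here).
    The log carries no session id, so a peer's sessions are assumed not to
    overlap; that matches the excerpt but is an approximation in general.
    """
    stats = defaultdict(lambda: {"sessions": 0, "probe_like": 0, "authenticated": 0,
                                 "failed_logons": 0, "peak_open": 0})
    open_conns = defaultdict(int)
    user_sent = defaultdict(bool)
    for _ts, peer, msg in parse_events(text):
        s = stats[peer]
        if msg == "connecting":                     # a new session starts
            s["sessions"] += 1
            open_conns[peer] += 1
            user_sent[peer] = False
            s["peak_open"] = max(s["peak_open"], open_conns[peer])
        elif msg.startswith("user '"):              # client began authenticating
            user_sent[peer] = True
        elif "USER-PASS" in msg and msg.endswith("success"):
            s["authenticated"] += 1
        elif "USER-PASS" in msg and msg.endswith("failed"):   # assumed wording
            s["failed_logons"] += 1
        elif msg.startswith("disconnected"):
            open_conns[peer] = max(0, open_conns[peer] - 1)
            if not user_sent[peer]:
                s["probe_like"] += 1
    for s in stats.values():
        s["at_limit"] = (s["peak_open"] > max_conns_per_ip
                         or s["failed_logons"] >= max_conns_per_ip)
    return dict(stats)


def probe_only_peers(stats):
    """Peers every one of whose sessions looked like a bare TCP probe."""
    return sorted(p for p, s in stats.items()
                  if s["sessions"] and s["probe_like"] == s["sessions"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for peer, s in result.items():
        print(f"{peer:14s} {s}")
    print("probe-only peers:", probe_only_peers(result))
```

Run against a real log, a peer whose sessions are all probe-like and whose `peak_open` stays at 1 is consistent with the poster's description of the probe; if the real client's own `peak_open` or `failed_logons` reached the limit, that would point at the auto-ban rather than the probe.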
thealien
Posts: 3
Joined: Thu Aug 04, 2011 10:06 pm

Post by thealien »

The client getting disconnected and the probe from the load balancer (or the random other server I launched the port scan from) are different IPs.

The max conns per ip is already at 200.
ForumAdmin
Site Admin
Posts: 987
Joined: Mon Mar 24, 2003 4:37 am

Post by ForumAdmin »

What's the nmap -sT command actually doing? If you do not log on or fail the logon, it will also auto-ban the IP after a few tries.
thealien
Posts: 3
Joined: Thu Aug 04, 2011 10:06 pm

Post by thealien »

It just opens the tcp connection as minimally as possible and then immediately disconnects. Not what I would have chosen to use for a load balancer test, but I don't control that aspect of the environment.

The load balancer is just using a tcp connect, I used that configuration of nmap every two seconds to mimic it for testing.